
Medibank Data Breach 2022: What You Need to Know

Approximately 9.7 million Medibank, ahm, and international student customer records were exposed after attackers used stolen VPN credentials to access internal systems. Here is what happened, what data was leaked (including sensitive health claims), and steps you can take to protect yourself.

Breach date: October 2022
Records affected: ~9.7 million
Risk level: High


What Happened

How the Medibank Breach Unfolded

August 2022

Credentials belonging to a third-party IT services provider employee were stolen using an infostealer malware variant. These credentials granted access to Medibank's internal systems via a VPN that did not require multi-factor authentication.

13 October 2022

Medibank detected unusual activity on its network and immediately engaged cybersecurity specialists. The attackers had already exfiltrated data over the preceding weeks.

7 November 2022

After weeks of investigation, Medibank confirmed the full scope: 9.7 million current and former customers across Medibank, ahm, and international student policies were affected. Medibank announced it would not pay the ransom demand (reported at US$10 million).

9 November 2022

The attackers began publishing stolen data on the dark web, initially releasing a so-called “good list” and “naughty list” that included sensitive health claims data. Further data dumps continued over the following weeks.

Sources: ABC News (Dec 2022), ABC News (Oct 2022)

What Was Exposed

Personal Data Leaked in the Breach

The breach affected 9.7 million current and former customers across Medibank, ahm, and international student policies. For approximately 480,000 customers, sensitive health claims data was also exposed, including diagnoses, procedures, and provider details.

| Data Type | Risk Level | Who Was Affected |
| --- | --- | --- |
| Full name | High | All approximately 9.7 million affected customers |
| Date of birth | High | All approximately 9.7 million affected customers |
| Email address | High | All approximately 9.7 million affected customers |
| Phone number | High | All approximately 9.7 million affected customers |
| Home address | High | All approximately 9.7 million affected customers |
| Medicare number | High | Subset of affected customers |
| Passport number | High | Subset of affected customers (including international students) |
| Health claims data | High | Approximately 480,000 customers (diagnoses, procedures, provider details, sensitive conditions) |

Risk levels based on the Australian Government's PSPF and OAIC Australian Privacy Principles. Health claims data is rated at the highest level due to its sensitivity and the impossibility of changing medical history.

Confirmed NOT Exposed

Medibank confirmed that no credit card or banking details were included in the breached dataset. Driver licence numbers were also not part of the exposed data for most customers.

Company Response

What Medibank Did

“Based on the extensive advice we have received from cybercrime experts, we believe there is only a limited chance paying a ransom would ensure the return of our customers' data and prevent it from being published.”
David Koczkar, Medibank CEO

Actions Taken by Medibank

  • Immediately isolated affected systems and engaged cybersecurity specialists
  • Notified the Australian Federal Police (AFP), OAIC, and Australian Cyber Security Centre (ACSC)
  • Refused to pay the US$10 million ransom demand
  • Offered affected customers access to Medibank's Cyber Response Support Program (mental health support, identity protection, and financial hardship support)
  • Provided free identity monitoring through IDCARE
  • Established a dedicated response website and support line

What Now?

Steps You Can Take After the Medibank Breach

This breach is particularly sensitive because it included health claims data for hundreds of thousands of customers, alongside name, email, date of birth, phone number, and home address for the broader group. Unlike a password or credit card number, health data cannot be changed or reissued, making ongoing vigilance especially important. Here are general best-practice steps, organised by the types of accounts most commonly affected.

Medibank and Health Accounts

Your health insurer account details were exposed. Other health provider accounts may share the same email.

Secure your Medibank account

~5 min
It is generally considered best practice to update the password on any Medibank, ahm, or related health insurance account associated with exposed data. Enabling MFA where available adds a significant layer of protection. Consider reviewing recent account activity for any unauthorised changes or claims.

Review other health provider accounts

Where the same email address or password has been used across health provider portals (GPs, specialists, pathology services), consider updating credentials on those accounts as well. It is worth checking whether any health provider accounts share credentials with the compromised Medibank account.

Email and Digital Identity

Your email is the key to your digital identity. Securing it is a sensible first step.

Strengthen email security

~5 min
Updating the password and enabling MFA on email accounts associated with the breach is widely recommended. It is also worth checking email forwarding rules and connected app permissions, as these can be exploited to silently intercept communications.

Understand your full account exposure

Most people have dozens of online accounts linked to a single email address. When that email is exposed in a breach, understanding which services are connected is a critical first step in assessing personal risk. Tools that map your digital footprint can help identify accounts that may need attention.

Identity and Health Data Protection

Medicare numbers, passport numbers, and health claims data carry long-term identity and privacy risks.

Consider a credit ban (especially if your Medicare or passport number was exposed)

~20 min
For those whose Medicare number or passport number was included in the exposed data, the risk of identity fraud is elevated. Placing a free credit ban with Australian credit bureaus prevents new credit from being opened without additional verification.

Contact Services Australia about Medicare number misuse

~15 min
If a Medicare number was included in the breach, it is worth contacting Services Australia to discuss potential protections. A replacement Medicare card with a new number may be available in some circumstances.
Services Australia: Medicare

Recognise the ongoing nature of health data exposure

Unlike a password or credit card, exposed health claims data cannot be changed, reissued, or revoked. This means the risk from this breach is not time-limited. It is prudent to remain alert to any unexpected contact that references medical history, and to treat such contact with caution regardless of how legitimate it may appear.

Monitoring and Reporting

Australian resources for breach response and identity protection.

Stay alert for targeted phishing (including health-related scams)

Exposed name, email, health claims data, and Medicare number may be used to craft highly convincing phishing messages. Some phishing attempts may reference specific health conditions or medical procedures to appear legitimate. Treat any unsolicited contact referencing Medibank account details or health information with caution, and verify directly through official Medibank channels.

Contact IDCARE or report to Scamwatch

IDCARE (1800 595 160) is Australia's national identity and cyber support service and provides free, tailored guidance for people affected by data breaches. Reporting to Scamwatch contributes to broader awareness and helps authorities track emerging threats.


Are You Still at Risk?

The Hidden Danger: Compound Breach Exposure

The Medibank breach did not happen in isolation. If your data also appeared in other major Australian breaches, the combination of leaked information can build a more complete identity profile.

How breach data compounds

On its own, the Medibank breach exposed names, dates of birth, addresses, and (for a subset) health claims data and Medicare numbers. But if your email also appeared in the Optus or Latitude Financial breaches, the combined data set may include driver licence numbers, passport details, and financial information. This kind of compound exposure significantly increases the risk of identity fraud.

  • Optus (2022): 9.8M records - passport, licence, Medicare numbers
  • Medibank (2022): 9.7M records - health claims, Medicare details
  • Latitude Financial (2023): 14M records - driver's licence, passport numbers
  • Qantas (2025): 5.7M records - name, date of birth, phone, email

If your email appears in two or more of these breaches, your risk level is significantly elevated. In The Event Of can overlay your breach data to show exactly where your exposure compounds, and help you prioritise what to address first.



Disclaimer: This guide is provided for general informational purposes only and does not constitute legal, financial, or professional advice. The information is based on publicly available sources at the time of writing and may not reflect the most current developments. In The Event Of Pty Ltd (ABN 38 687 352 647) is not affiliated with Medibank Private Limited. If you believe you have been affected by this data breach, we recommend contacting the relevant authorities and seeking professional guidance specific to your circumstances.